From f88da09f42d096e2b71b04f35728fcd0e1d76b21 Mon Sep 17 00:00:00 2001
From: Parfii-bot
Date: Fri, 1 May 2026 20:04:36 +0800
Subject: [PATCH] fix(ci): leak-check allowlists itself (workflow contains pattern as detection rule)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep. On first run after install, it flags itself. Same fix as the local .git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/leak-check.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/leak-check.yml b/.github/workflows/leak-check.yml
index 55a2059..c853871 100644
--- a/.github/workflows/leak-check.yml
+++ b/.github/workflows/leak-check.yml
@@ -20,7 +20,10 @@ jobs:
 run: |
 set -e
 PATTERN='denisparfionovich|/Users/[a-z]+/Projects/KeiSeiKit-public/'
- hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE '^(NOTICE|README\.md)$' || true)
+ # Allowlist: byline files (intentional copyright) + this workflow
+ # itself (it contains the pattern as a literal detection rule).
+ ALLOWLIST='^(NOTICE|README\.md|\.github/workflows/leak-check\.yml)$'
+ hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE "$ALLOWLIST" || true)
 if [[ -n "$hits" ]]; then
 echo "::error::username-path leak detected"
 echo "$hits" | sed 's/^/ /'
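Review bot: The new `ALLOWLIST` on the `+ ALLOWLIST=` line exempts the entire workflow file from the scan, so any later occurrence of the pattern added elsewhere in leak-check.yml (another step, a comment, a path in an env value) would pass silently; the exemption is wider than the single literal that motivates it. One way to keep the file in scope is to not have the literal in it at all — source `PATTERN` from a repository variable or secret rather than a tracked file — or, failing that, record the trade-off next to the allowlist, e.g. `# NOTE: the whole workflow is exempt; keep PATTERN the only occurrence of the pattern in this file.` Separately, the rebuilt `hits=` pipeline still hands newline-separated paths to `xargs`, so a tracked path containing whitespace or quotes is mishandled; `git ls-files -z | xargs -0 grep -lE "$PATTERN"` fixes that with one change. The remainder of the step (the `fi` and exit handling) lies outside the hunk.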